Revision as of 20:45, 19 July 2012

I'm Jeff Williams, I work as CEO of [http://www.aspectsecurity.com Aspect Security] and I served as the volunteer Chair of the OWASP Foundation from 2003 to 2012. I’ve dedicated my life to trying to make the world’s software more secure, and so I create lots of free and open tools, libraries, guidance, and standards to try to change the status quo. Thank you all for your dedication to application security and your participation in OWASP. Please send any questions or comments to me via email at [mailto:jeff.williams@aspectsecurity.com jeff.williams@aspectsecurity.com], or find me on Twitter at @planetlevel.

==Background==

I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). A free and open community for application security struck me as an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but said that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and are starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a big family and absolutely love my kids. We live in the woods and spend a lot of time outside with our two Labrador retrievers. I’m very much into sports – I rowed on the crew team at UVA and still play basketball three times a week (if you meet me you'll know why). For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)